20e4b6c4a280d5d3acda0e4f65a73b6d163759c14cfc4db3fbcced263d5c07ba

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 15:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2862be1a8429f6bc13e44728babc3eab.exe
Size

677KB
MD5

2862be1a8429f6bc13e44728babc3eab
SHA1

54241924313efb5eb06c7d6b10972b06cb48a2e8
SHA256

20e4b6c4a280d5d3acda0e4f65a73b6d163759c14cfc4db3fbcced263d5c07ba
SHA512

8ff4b6fde0ca59a0bd7187dc52938bc142f74eb74d125815e9772d581e4385ae56895d97584a41092ab573ed2dca2383d56020b33ee1458d6ed0375cde8c1fa6
SSDEEP

12288:2kN85mzBp8vfAU6Ag45U5Bj9r6nPfYg+JFXvG1FfDUqOMw/ndlU1LakFO/xlyA:2kN3U69D5BYnI71vG1JROMYbU12kFMlx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1276	1432220482.exe

Loads dropped DLL 2 IoCs

pid	Process
2812	2862be1a8429f6bc13e44728babc3eab.exe
2812	2862be1a8429f6bc13e44728babc3eab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
3304	1276	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1316	wmic.exe
Token: SeSecurityPrivilege	1316	wmic.exe
Token: SeTakeOwnershipPrivilege	1316	wmic.exe
Token: SeLoadDriverPrivilege	1316	wmic.exe
Token: SeSystemProfilePrivilege	1316	wmic.exe
Token: SeSystemtimePrivilege	1316	wmic.exe
Token: SeProfSingleProcessPrivilege	1316	wmic.exe
Token: SeIncBasePriorityPrivilege	1316	wmic.exe
Token: SeCreatePagefilePrivilege	1316	wmic.exe
Token: SeBackupPrivilege	1316	wmic.exe
Token: SeRestorePrivilege	1316	wmic.exe
Token: SeShutdownPrivilege	1316	wmic.exe
Token: SeDebugPrivilege	1316	wmic.exe
Token: SeSystemEnvironmentPrivilege	1316	wmic.exe
Token: SeRemoteShutdownPrivilege	1316	wmic.exe
Token: SeUndockPrivilege	1316	wmic.exe
Token: SeManageVolumePrivilege	1316	wmic.exe
Token: 33	1316	wmic.exe
Token: 34	1316	wmic.exe
Token: 35	1316	wmic.exe
Token: 36	1316	wmic.exe
Token: SeIncreaseQuotaPrivilege	1316	wmic.exe
Token: SeSecurityPrivilege	1316	wmic.exe
Token: SeTakeOwnershipPrivilege	1316	wmic.exe
Token: SeLoadDriverPrivilege	1316	wmic.exe
Token: SeSystemProfilePrivilege	1316	wmic.exe
Token: SeSystemtimePrivilege	1316	wmic.exe
Token: SeProfSingleProcessPrivilege	1316	wmic.exe
Token: SeIncBasePriorityPrivilege	1316	wmic.exe
Token: SeCreatePagefilePrivilege	1316	wmic.exe
Token: SeBackupPrivilege	1316	wmic.exe
Token: SeRestorePrivilege	1316	wmic.exe
Token: SeShutdownPrivilege	1316	wmic.exe
Token: SeDebugPrivilege	1316	wmic.exe
Token: SeSystemEnvironmentPrivilege	1316	wmic.exe
Token: SeRemoteShutdownPrivilege	1316	wmic.exe
Token: SeUndockPrivilege	1316	wmic.exe
Token: SeManageVolumePrivilege	1316	wmic.exe
Token: 33	1316	wmic.exe
Token: 34	1316	wmic.exe
Token: 35	1316	wmic.exe
Token: 36	1316	wmic.exe
Token: SeIncreaseQuotaPrivilege	2916	wmic.exe
Token: SeSecurityPrivilege	2916	wmic.exe
Token: SeTakeOwnershipPrivilege	2916	wmic.exe
Token: SeLoadDriverPrivilege	2916	wmic.exe
Token: SeSystemProfilePrivilege	2916	wmic.exe
Token: SeSystemtimePrivilege	2916	wmic.exe
Token: SeProfSingleProcessPrivilege	2916	wmic.exe
Token: SeIncBasePriorityPrivilege	2916	wmic.exe
Token: SeCreatePagefilePrivilege	2916	wmic.exe
Token: SeBackupPrivilege	2916	wmic.exe
Token: SeRestorePrivilege	2916	wmic.exe
Token: SeShutdownPrivilege	2916	wmic.exe
Token: SeDebugPrivilege	2916	wmic.exe
Token: SeSystemEnvironmentPrivilege	2916	wmic.exe
Token: SeRemoteShutdownPrivilege	2916	wmic.exe
Token: SeUndockPrivilege	2916	wmic.exe
Token: SeManageVolumePrivilege	2916	wmic.exe
Token: 33	2916	wmic.exe
Token: 34	2916	wmic.exe
Token: 35	2916	wmic.exe
Token: 36	2916	wmic.exe
Token: SeIncreaseQuotaPrivilege	2916	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 1276	2812	2862be1a8429f6bc13e44728babc3eab.exe	34
PID 2812 wrote to memory of 1276	2812	2862be1a8429f6bc13e44728babc3eab.exe	34
PID 2812 wrote to memory of 1276	2812	2862be1a8429f6bc13e44728babc3eab.exe	34
PID 1276 wrote to memory of 1316	1276	1432220482.exe	21
PID 1276 wrote to memory of 1316	1276	1432220482.exe	21
PID 1276 wrote to memory of 1316	1276	1432220482.exe	21
PID 1276 wrote to memory of 2916	1276	1432220482.exe	33
PID 1276 wrote to memory of 2916	1276	1432220482.exe	33
PID 1276 wrote to memory of 2916	1276	1432220482.exe	33
PID 1276 wrote to memory of 2412	1276	1432220482.exe	32
PID 1276 wrote to memory of 2412	1276	1432220482.exe	32
PID 1276 wrote to memory of 2412	1276	1432220482.exe	32
PID 1276 wrote to memory of 3528	1276	1432220482.exe	31
PID 1276 wrote to memory of 3528	1276	1432220482.exe	31
PID 1276 wrote to memory of 3528	1276	1432220482.exe	31
PID 1276 wrote to memory of 1280	1276	1432220482.exe	30
PID 1276 wrote to memory of 1280	1276	1432220482.exe	30
PID 1276 wrote to memory of 1280	1276	1432220482.exe	30

C:\Users\Admin\AppData\Local\Temp\2862be1a8429f6bc13e44728babc3eab.exe
"C:\Users\Admin\AppData\Local\Temp\2862be1a8429f6bc13e44728babc3eab.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\1432220482.exe
  C:\Users\Admin\AppData\Local\Temp\1432220482.exe 6^4^5^5^3^1^1^9^0^2^9 KUxEPzo1Mi8gLUpPPktEQTwvFy9MPE5TSk1ISEM0MR4mPkVOT0ZDPCw0MhcpP0Q/Oi8fJlBQRj5RPk9cSEM0NDQoGitOQE9VRElfU0lGOWNvcW85Ji9xaXAqP0BQSixLT04kO0xLKUZNRUYgLTpGRT5GRkM8Fy9CKDcwLCs0NjUpIC07LDksMC00HyZEMTQnLRsqQTM8JDEeJj4xOCguHy5HUk07Tz9PWk1RSE1BQVA3HCpLT05DTENSVj9RRzw6Hy5HUk07Tz9PWktATDw9ZmBeYSAtLWBrYyUwJ2NsIC0tMS8oNSwnLSosMSIxLyg1LiorMhsqQldEVlVQQzccKkBVRF46TUJDQ0pAOB0uR0ZTUlY8TkpSUERRNDAeJk5EPElIWE5MX1NJRjkbKlNMPCkgLTtNLTgbLFFURVRHRD9bUkBJQk5ERUdEO0NAUE9LPBcvR0pZTlBJUUhMPD1yaW9hGypPRFNMUkxASENaUFBEUVZEP1BNOS0bLEdIO0VWNCscKkRQXkNQTj9EQz9aQEtCUVBQUjw+OWFcaXJkFy9CRlFKR0o+Q15AUDspKzIpLDAvLSg5MCUrLBsqUUhMPD0vKy0uLS0wMDEpIC07SVNJR0xAQ1ZUR0Q/OTAqLzAuKTAvLCQvNS8yOTEpKk5EGitQPDpMbnFpamNbIS1hMS0vIihhZmdsXG9mYWtcJTFZJUlOREIqNSUwIypcJ1Jka2NubnMpRU4nMCkuJDJZK1FNKyEuXSgtTTxUKTpGTiYsKzAtKzMwKSMcKlBPSzxfdHJnHy9cIC9lJClmZVxuLSkrLjAwW2VxYGFqKWRrZW4cMmRJb2pPZGpkQ2Z3bGNpXV9IXm1gXmVwVl5ha2dseCQpZi8rLS4tLTAwMS8lMF1ea3JpaW5gW21fZVtjYG0iMWUoNDEpLC4uLC83JCpmMzAzMzQzMDUwKThXY3JuRmQ1MmFLYy9ETj1jUndQdEJ5dWFUZnJ0SWh2W1pSUGlEaCxwYWxBdFZkbmhSaE9jTmQxaVtALWteVEFvP1Z1bEh2SHFIQ0hsTFFqXlQ+MzBMQ0RvSzkrXl5oU1lgZE5nWUBoalNBUWdQRnZgQnZAdUhoc1BZMExdR2VEcEsxW29HOmVvRnRgcEtKcy5DPWNwRVBmdT9DbXBGPzNxSVJyaEtBL15VUj1tYVNqcQ==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1276

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703786471.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1276 -ip 1276
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 844
1⤵
- Program crash
PID:3304

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703786471.txt bios get version
1⤵
PID:1280

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703786471.txt bios get version
1⤵
PID:3528

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703786471.txt bios get version
1⤵
PID:2412

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703786471.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nse43C1.tmp\bydqoko.dll

Filesize
158KB

MD5
4f2b89f85fa5dec2d097de866873974d

SHA1
c2ecf4e4349632ec0146d3d5abc885be1137b0b9

SHA256
3e3de62c39ffb9eef3584d94a93d588691f9fa57e2c72ddd117a491949b479e4

SHA512
ff19ba1aab9f11a8241836325a5c834487dbff366d48b7970e518a477b23c8d13c47dbbc3407b0fe50b18c1ef2e8cbfce511b0e99a1cdb929f50d8dc208945dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse43C1.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit